IBM’s Siri ban highlights companies’ privacy, trade secret challenges

Apple's Siri is persona non grata at IBM, and it's just the beginning.

Apple's digital "assistant" Siri isn't welcome at IBM; neither are Apple's voice dictation features in the iPhone and iPad. IBM CIO Jeanette Horan revealed in an interview with Technology Review that the company turns off Siri on employees' iPhones for fear that the service stores employees' queries somewhere outside of IBM's control. The move highlights some of the problems large enterprises face when employees begin using their own devices at work.

The revelation is making waves among the Apple blogosphere, but the company's policy isn't actually all that surprising. Siri—and Apple's voice dictation features—send voice commands through the Internet to Apple's servers for processing before returning a text result. Apple doesn't make it clear whether it stores that data, for how long, or who has access to it. (As noted by our friends at Wired, this behavior from Siri is what caused the ACLU to post a warning about the technology in March of this year.) IBM most likely wants to protect its trade secrets, which is why it wouldn't want any sort of spoken data from employees being stored on Apple's servers.

What is surprising? It appears that not many companies have joined IBM in forbidding the use of Siri for security purposes. I asked on Twitter whether anyone else's companies have a similar policy, and received extremely few responses saying yes. The only people—so far—who have acknowledged any kind of Siri policy were government workers and some school employees. Most said their employers had not yet added Siri to their list of forbidden technologies.

Some responses did point out that their employers blocked the use of Google's services for the same reasons (storing data on Google's servers), implying that corporations are still catching up on what kind of risks Siri and voice dictation services might present. "I figure a big reason that Siri use is not on the radar screen yet is because the idea of harvesting information from voice inquiries is not as self-evident as it would be if the employees were transmitting written text to the platform provider," Chicago-based intellectual property lawyer Evan Brown told Ars. "We think of voice communications as ephemeral, not intuitively realizing that for the machine that is Siri to process it, it must be transformed into another medium (text) for processing."

On his blog, Brown went into further detail about IBM's protection of trade secrets. "[A] company can enforce its exclusive rights to possess and use information that (1) gives that company a competitive advantage, and (2) which is subject to efforts to keep secret. That latter part—keeping the information secret—is a big reason for nondisclosure agreements, password protected servers, and sensible restrictions on employee use of third party technologies (like social media and search tools like Siri)," he wrote.

When speaking to Ars, Brown also pointed out that IBM and its ilk are probably only the beginning when it comes to banning Siri. Other industries, like law and medicine, may soon follow due to laws related to attorney-client privilege or patient-doctor privilege. "Come to think of it, a person really wouldn't want their doctor asking too many questions of Siri to practice medicine anyway!" he added.

I think using personal devices for work is just a bad idea. If you are required to use a digital tool in the course of your job, and you cannot do the job otherwise, you need to be provided with that tool. What happens when it's broken? Someone tosses it down a stairwell? Who pays for what percentage? Details, details... and often nobody stops to think until they're standing over the wreckage and don't have the $$ to pay for part of a replacement.

Making matters even more complex are the battles that most IT people have had to fight, and are finally (from what I see anyways) getting support for - patching, locking down devices, etc. A personal device throws all that out the window. How do you, as an enterprise IT person, manage this? All the work and cost putting in infrastructure to support multiple platforms (Windows, Android, BB, iOS), all the reference and test devices, testing against different versions, etc... can be mitigated by a single enterprise solution, and a couple of devices. I've had experience with this, and to be blunt... it's a fucking nightmare. Especially when you start dealing with specialty applications / line of business applications that do not have iOS, BB, or Android "apps" for them.

I have no problem carrying two phones; one for work, one for personal use. They do not ever get used for reasons outside their purpose. And when I do not want to be reached, I can leave the work phone at home.

Why do we continue this march to blurring the lines between our personal and business lives? There's Facebook and LinkedIn. One has a personal purpose, the other has a business purpose. Don't blur them. The same should ring true about personal devices in the workplace. They have no reason to be there, and the advantages are quickly tossed out once you take all the logistics of multiple platform support into consideration.

Or does everyone want to ensure those drunken stag party pictures on your phone are synced with the company's cloud?

**edit** I worked with several government, health care, and other organizations that deal with restricted and private information in the past, and they could care less about potential data leak hazards when you compare it to the organization paying for your shiny new iPad.

^^ This. There should be a clear split between personal and work devices. This improves security, accountability, and personal privacy.

... You can pretty much guarantee people who insist on using their own devices are either one of these things or both.

1. They will spill trade secrets and company business in an insecure manner.
2. They don't care if company info is out in the wild.
3. They are probably too stupid to understand the consequences and/or they don't care.
4. They all think they know what they are doing and I.T. do not.

Thank you for confirming what I prejudicially assumed about IT: [troll feeding rant deleted by poster]

From the Ars posting policy:

3. No trolling. Don't make posts that are inflammatory just to get people riled up. Attacking other members of our community is not acceptable. Substance is a key to not being labeled a troll, but substance alone cannot prevent you from being considered a troll. Substance with a dash of personal attacks will get you labeled as a troll.

4. Ad hominem and personal attacks are not permitted. Again: criticize the ideas, not the people. An ad hominem attack is a logical fallacy describing the attempt to discredit an argument by merely attacking the credibility of the arguer.

I don't get why this is more of a concern than, say, Google or other text-based search engines...they all save your queries in some fashion even if it's not necessarily tied directly to your account. It seems odd that Siri would be banned but regular search engines would not be.

You wouldn't be typing in the full SMS message or a reply to an email, or a note with confidential data into a search engine. With Siri you might just do that...

Well, I don't necessarily agree with that. I think people are just as likely to put sensitive information into a search engine. The key words of interest will still be the same whether it's in a sentence you say or just the keywords in a textbox. I would say that's not even the point though. The point is that you CAN input the same information so it creates the same risk of data exposure.